Threat Intelligence Blog

Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.

Black Arrow Admin

Cyber Weekly Flash Briefing 19 June 2020: Widespread Office 365 phishing attacks, new cyber storm as businesses reopen, cyber spies use LinkedIn, largest ever DDoS attack, Ripple20 IoT vulns

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.


If you’re pressed for time watch the 60 second quick fire video summary of the top Cyber and InfoSec stories from the last week:


Office 365 Phishing Campaign Exploits Samsung, Adobe and Oxford Servers

Over the last few years, the adoption of Office 365 in the corporate sector has significantly increased. Its popularity has attracted the attention of cyber criminals who launch phishing campaigns specifically to attack the platform. As 90% of cyber-attacks start with a phishing campaign, Office 365 is an attractive target for threat actors who work to evade the continuously introduced security solutions.

Recently, a seemingly unsophisticated Office 365 phishing campaign caught our attention. The attackers abused an Adobe Campaign redirection mechanism, using a Samsung domain to redirect victims to an O365 themed phishing website. The hackers took advantage of the fact that access to a reputable domain, such as Samsung’s, would not be blocked by security software.

To expand their campaign, the attackers also compromised several websites to inject a script that imitates the same mechanism offered by the Adobe redirection service. Further investigation revealed that the actors behind the campaign implemented a few other interesting tricks to hide the phishing kit and avoid detection at each stage of the attack.

Read more here: https://research.checkpoint.com/2020/phishing-campaign-exploits-samsung-adobe-and-oxford-servers/
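The redirect trick described above works because a link whose host is a reputable domain carries the real destination inside it, typically as a query parameter or path segment. The following is an added example, not code from the original post or from Check Point: a small Python scanner that flags links on a trusted domain whose embedded target points somewhere else. The domain names `trusted.example` and `phish.example` are constructed placeholders, and the sample link list is constructed for the demonstration.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed placeholder: domains the organisation's mail filter treats as reputable.
TRUSTED_DOMAINS = ("trusted.example",)


def _host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def _is_trusted(host, trusted):
    """True if host is one of the trusted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def _embedded_target(value):
    """If a parameter or path segment is itself an absolute or protocol-relative URL,
    return its hostname; otherwise None. Decodes once more to catch double-encoding."""
    v = unquote(value).strip()
    if v.startswith("//"):            # protocol-relative form, e.g. //phish.example/x
        v = "https:" + v
    if not v.lower().startswith(("http://", "https://")):
        return None
    return _host(v)


def find_open_redirects(urls, trusted=TRUSTED_DOMAINS):
    """Return (link, external_host) pairs for links on a trusted domain that
    carry an embedded destination outside the trusted set."""
    findings = []
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if not _is_trusted(host, trusted):
            continue                   # only interested in abuse of reputable hosts
        # Places where redirect services usually carry the target.
        candidates = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
        candidates += [seg for seg in parts.path.split("/") if seg]
        if parts.fragment:
            candidates.append(parts.fragment)
        for c in candidates:
            target = _embedded_target(c)
            if target and not _is_trusted(target, trusted):
                findings.append((url, target))
                break
    return findings


# Constructed sample links, as they might be extracted from an incoming email.
SAMPLE_URLS = [
    "https://mail.trusted.example/r?url=https%3A%2F%2Fphish.example%2Fo365%2Flogin",
    "https://trusted.example/click?id=42&next=//phish.example/login",
    "https://trusted.example/go/https:%2F%2Fphish.example%2Fauth",
    "https://trusted.example/r?url=https://trusted.example/home",   # internal redirect, fine
    "https://phish.example/r?url=https://trusted.example/",        # not a trusted host, out of scope
    "https://trusted.example/docs/page?ref=newsletter",            # ordinary link
]


def scan_sample():
    return find_open_redirects(SAMPLE_URLS)


if __name__ == "__main__":
    for link, target in scan_sample():
        print(f"suspicious redirect on trusted host -> {target}: {link}")
```

The scanner deliberately ignores links whose host is untrusted, since those are handled by ordinary reputation filtering; its value is in catching the case the article describes, where the reputation of the outer domain would otherwise let the link through.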


Guernsey Police warn businesses in Guernsey using Office 365 also targeted by scammers

Guernsey Police are warning local businesses about an online scam targeting users of Office 365.

Officers have been in contact with several businesses using the service who have fallen victim to phishing scams which have allowed hackers access to their email inbox.

The hackers then distribute malicious links to their contacts.

Police say using multi-factor authentication can help keep personal data safe.

Anyone who receives an unexpected email from someone they trust containing a link should contact them directly to make sure they sent it.

Read more: https://www.itv.com/news/channel/2020-06-18/guernsey-businesses-using-office-365-targeted-by-scammers/


As Businesses Reopen, A New Storm Of Cybercrime Activity Looms

There is nothing ordinary about the amount of disruption that will impact our lives moving forward as countries and states reopen following the coronavirus pandemic. In the context of the cloud, disruptions caused by COVID-19 have opened the door to another type of virus: cybersecurity threats. Today we are witnessing a rapid rise of opportunistic cybercriminal activity taking advantage of the chaos created by COVID-19.

Focal concerns about economic recovery and a potential second wave of human infection are abounding. Still, the concern for many companies should also include heightened cybersecurity threats that can easily break companies before they have a chance to relaunch. For the many companies that are already fighting to remain afloat due to challenges faced during COVID-19, a cybersecurity breach could quickly mean the end. As businesses navigate this “new normal,” they must address weaknesses in their IT strategies exposed by COVID-19 and consider implementing a better preparedness plan to avoid long-term damage.

Read more: https://www.forbes.com/sites/emilsayegh/2020/06/18/as-businesses-reopen-a-new-storm-of-cybercrime-activity-looms/#44f38a9a1a4b


Microsoft: COVID-19 malware attacks were barely a blip in total malware volume

Microsoft says that despite all the media headlines over the past few months, malware attacks that abused the coronavirus (COVID-19) theme have barely been a blip in the total volume of threats the company sees each month.

These COVID-19 attacks included emails carrying malicious file attachments (also referred to as malspam) and emails containing malicious links that redirect users to phishing sites or malware downloads.

According to Microsoft's Threat Protection Intelligence Team, the first attacks abusing a COVID-19 lure started after the World Health Organization (WHO) declared COVID-19 a global pandemic on January 30.

As the world yearned to learn more about this new disease, attacks intensified, and they peaked in March when most of the world's countries enforced stay-at-home measures.

"The week following [the WHO] declaration saw these attacks increase eleven-fold," Microsoft said. "By the end of March, every country in the world had seen at least one COVID-19 themed attack."

Read more: https://www.zdnet.com/article/microsoft-covid-19-malware-attacks-were-barely-a-blip-in-total-malware-volume/


Cyber spies use LinkedIn to hack European defence firms

LONDON (Reuters) - Hackers posed as recruiters working for U.S. defence giants Collins Aerospace and General Dynamics (GD.N) on LinkedIn to break into the networks of military contractors in Europe, cyber security researchers said on Wednesday.

The cyber spies were able to compromise the systems of at least two defence and aerospace firms in Central Europe last year by approaching employees with pseudo job offers from the U.S. firms.

The attackers then used LinkedIn’s private messaging feature to send documents containing malicious code which the employees were tricked into opening.

The researchers declined to name the victims, citing client confidentiality, and said it was unclear if any information was stolen. General Dynamics and Collins Aerospace, which is owned by Raytheon Technologies (RTX.N), declined immediate comment.

The researchers were unable to determine the identity of the hackers but said the attacks had some links to a North Korean group known as Lazarus, which has been accused by U.S. prosecutors of orchestrating a string of high-profile cyber heists on victims including Sony Pictures and the Central Bank of Bangladesh.

Read more here: https://uk.reuters.com/article/us-cyber-linkedin-hacks/cyber-spies-use-linkedin-to-hack-european-defence-firms-idUKKBN23O2L7


Australian PM says nation under serious state-run 'cyber attack' – Microsoft, Citrix, Telerik UI bugs 'exploited'

Australian Prime Minister Scott Morrison has called a snap press conference to reveal that the nation is under cyber-attack by a state-based actor, but the nation’s infosec advice agency says that while the attacker has gained access to some systems it has not conducted “any disruptive or destructive activities within victim environments.”

Morrison said the attack has targeted government, key infrastructure and the private sector, and was sufficiently serious that he took the courteous-in-a-crisis but not compulsory step of informing the leader of the opposition about the incident. He also said that the primary purpose of the snap press conference was to inform and educate Australians about the incident.

But Morrison declined to state whether Australian defence agencies have identified the source of the attack and said evidence gathered to date does not meet the government’s threshold of certainty to name the attacker.

Read more here: https://www.theregister.com/2020/06/19/australia_state_cyberattack/


Google removes 106 Chrome extensions for collecting sensitive user data

Google has removed 106 malicious Chrome extensions that have been caught collecting sensitive user data.

The 106 extensions are part of a batch of 111 Chrome extensions that have been identified as malicious in a report published this week.

These extensions posed as tools to improve web searches, convert files between different formats, as security scanners, and more.

But in reality the extensions contained code to bypass Google's Chrome Web Store security scans, take screenshots, read the clipboard, harvest authentication cookies, or grab user keystrokes (such as passwords).

Read more here: https://www.zdnet.com/article/google-removes-106-chrome-extensions-for-collecting-sensitive-user-data/


AWS stops largest DDoS attack ever

Amazon has revealed that its AWS Shield service was able to mitigate the largest DDoS attack ever recorded at 2.3 Tbps back in February of this year.

The company's new AWS Shield Threat Landscape report provided details on this attack and others mitigated by its AWS Shield protection service.

While the report did not identify the AWS customer targeted in the DDoS attack, it did say that the attack itself was carried out using hijacked CLDAP (Connection-less Lightweight Directory Access Protocol) servers and lasted for three days.

Read more: https://www.techradar.com/news/aws-stops-largest-ddos-attack-ever


Ripple20 Vulnerabilities Affect Hundreds of Millions of IoT Devices

Zero-day vulnerabilities have been discovered that could impact millions of IoT devices found in data centres, power grids, and elsewhere.

The flaws, dubbed Ripple20, include multiple remote code execution vulnerabilities and affect "hundreds of millions of devices (or more)."

Researchers named the vulnerabilities Ripple20 to reflect the widespread impact they have had as a natural consequence of the supply chain "ripple-effect" that has seen the widespread dissemination of the software library and its internal flaws.

"A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, and people," wrote researchers.

Ripple20 reached critical IoT devices involving a diverse group of vendors from a wide range of industries. Affected vendors range from one-person boutique shops to Fortune 500 multinational corporations, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, and Baxter.

Read more: https://www.infosecurity-magazine.com/news/ripple20-vulnerabilities-discovered/


Unpatched vulnerability identified in 79 Netgear router models

A whopping 79 Netgear router models are vulnerable to a severe security flaw that can let hackers take over devices remotely.

The vulnerability was discovered independently by two security researchers: Adam Nichols from cyber-security firm GRIMM, and a researcher going by the nickname d4rkn3ss who works for Vietnamese internet service provider VNPT.

According to Nichols, the vulnerability impacts 758 different firmware versions that have been used on 79 Netgear routers across the years, with some firmware versions being first deployed on devices released as far back as 2007.

The lack of proper security protections in the affected firmware opens the door for an attacker to craft malicious HTTP requests that can be used to take over the router.

More here: https://www.zdnet.com/article/unpatched-vulnerability-identified-in-79-netgear-router-models/


New Mac malware uses 'novel' tactic to bypass macOS Catalina security

Security researchers have discovered a new Mac malware in the wild that tricks users into bypassing modern macOS app security protections.

In macOS Catalina, Apple introduced new app notarization requirements. The features, baked into Gatekeeper, discourage users from opening unverified apps — requiring malware authors to get more creative with their tactics.

As an example, researchers have discovered a new Trojan horse malware actively spreading in the wild via poisoned Google search results that tricks users into bypassing those protections themselves.

The malware is delivered as a .dmg disk image masquerading as an Adobe Flash installer. But once it's mounted on a user's machine, it displays instructions guiding users through the malicious installation process.

Read more: https://appleinsider.com/articles/20/06/18/new-mac-malware-uses-novel-tactic-to-bypass-macos-catalina-security


As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Antony Cleal

Week in review 08 December 2019: 5,183 breaches in first nine months of 2019, 44 million Microsoft customers found using compromised passwords, US charges Russians over hacking attacks, VPN vulnerabilities, ransomware attacks on network storage devices, Europol take down counterfeit websites, reward offered for Russian hackers largest yet

Week in review 08 December 2019

Round up of the most significant open source stories of the last week

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.


5,183 breaches in first nine months of 2019 exposed 7.9b data records

As many as 7.9 billion data records were leaked, stolen or exposed as a result of 5,183 data breaches that took place in the first nine months of 2019, making it the worst year ever for data breaches.

This alarming statistic was revealed by security firm Risk Based Security which observed that based on recent trends, the number of breached data records could touch 8.5 billion by the end of the year.

The firm also noted that the total number of data breaches worldwide rose by 33.3 percent compared with the mid-year point of 2018, and the number of records breached rose by 112 percent. As many as 3.1 million data records were breached as a result of six data breach incidents that took place between 1 July and 30 September.

The majority of data records were exposed or leaked as a result of accidental exposure of data on the internet by organisations. The fact that hackers are quite willing to take advantage of such data exposure has also led to a rise in the number of breached records.

https://www.teiss.co.uk/data-records-breached-2019/ 


44 million Microsoft customers found using compromised passwords

Microsoft's identity threat researchers have revealed that 44 million of its users are still using passwords that have previously been compromised in past data breaches.

The 44 million weak accounts comprised both Microsoft Services Accounts (regular users) and Azure AD accounts, suggesting businesses are not adopting proper password hygiene.

A total of three billion user credentials were checked in a database populated from numerous sources including law enforcement and public databases.

Using the data set of three billion credentials, Microsoft was able to identify the number of users who were reusing credentials across multiple online services.

Microsoft forced a password reset for all of those users who were found to have leaked credentials during the scan which took place between January and March 2019.

https://www.itpro.co.uk/security/identity-and-access-management-iam/354289/44-million-microsoft-customers-found-using
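The article describes Microsoft comparing its users' credentials against a large corpus of leaked credentials and forcing resets where they matched. The following is an added example, not Microsoft's code or method: a self-contained Python sketch of how an organisation can run the same kind of check at password-set or login time without the checking service ever seeing the plaintext password, using the hash-prefix (k-anonymity) range-query approach popularised by breach-lookup services. The breach corpus, the breach counts and the account list are constructed for the demonstration; a real deployment would query a genuine corpus and would additionally rate-limit and log the checks.

```python
import hashlib
from collections import defaultdict

# Constructed toy breach corpus: password -> number of times seen in leaks.
# A real corpus would hold billions of entries, as the article describes.
COMPROMISED = {
    "password": 3730471,
    "123456": 23547453,
    "qwerty": 3912816,
    "letmein": 236432,
    "Summer2019!": 1402,
}

PREFIX_LEN = 5  # hex characters of SHA-1 sent to the lookup service


def _sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(corpus):
    """Index the corpus by SHA-1 prefix so range queries are cheap."""
    index = defaultdict(dict)
    for pw, count in corpus.items():
        digest = _sha1_hex(pw)
        index[digest[:PREFIX_LEN]][digest[PREFIX_LEN:]] = count
    return index


BREACH_INDEX = build_breach_index(COMPROMISED)


def range_query(prefix):
    """Server side: given only a hash prefix, return every matching suffix with its
    breach count. The server never learns which suffix the caller cares about."""
    return dict(BREACH_INDEX.get(prefix.upper(), {}))


def compromised_count(password):
    """Client side: hash locally, send the prefix, match the suffix locally.
    Returns the breach count, or 0 if the password is not in the corpus."""
    digest = _sha1_hex(password)
    suffixes = range_query(digest[:PREFIX_LEN])
    return suffixes.get(digest[PREFIX_LEN:], 0)


def accounts_needing_reset(accounts):
    """Given {username: current_password}, return the users whose password
    appears in the breach corpus, in the order they were supplied."""
    return [user for user, pw in accounts.items() if compromised_count(pw) > 0]


# Constructed sample account set for the demonstration.
SAMPLE_ACCOUNTS = {
    "alice": "password",
    "bob": "vT9#wq2Lp!m8Xz",          # not in the corpus
    "carol": "Summer2019!",
    "dave": "correct horse battery staple",
}


if __name__ == "__main__":
    for user in accounts_needing_reset(SAMPLE_ACCOUNTS):
        print(f"{user}: password found in breach corpus, forcing reset")
```

In this design the only thing that crosses the boundary between the client and the lookup service is the five-character hash prefix, which corresponds to a large bucket of candidate passwords, so a compromised or curious lookup service learns very little about any individual credential.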


Evil Corp: US charges Russians over hacking attacks

US authorities have filed charges against two Russian nationals alleged to be running a global cyber crime organisation named Evil Corp.

An indictment named Maksim Yakubets and Igor Turashev - who remain at large - as figures in a group which used malware to steal millions of dollars in more than 40 countries.

Those affected by the hacks include schools and religious organisations. It is also alleged that Mr Yakubets worked for Russian intelligence.

The attacks are said to be amongst the worst computer hacking and bank fraud schemes of the past decade. The $5m reward being offered for information leading to their arrest and prosecution is the largest yet for catching cyber criminals.

Thursday's indictment came after a multi-year investigation by the US and British law enforcement agencies.

Authorities allege that the group stole at least $100m (£76m) using Bugat malware - known as Dridex.

The malware was spread through so-called "phishing" campaigns, which encouraged victims to click on malicious links sent by email from supposedly trusted entities.

Once a computer was infected, the group stole personal banking information which was used to transfer funds.

A network of money launderers, targeted by the NCA and Britain's Metropolitan Police, was then used to funnel the criminal proceeds to members of Evil Corp. Eight members of this network have been sentenced to a total of over 40 years in prison.

https://www.bbc.co.uk/news/world-us-canada-50677512 


New ransomware attacks target your NAS devices, backup storage

New ransomware that targets Network Attached Storage devices and other backup devices has surged in recent months with many users unprepared for the increased level of threat.

As with all ransomware, paying the ransom is no guarantee of getting data back and should only ever be an absolute last resort.

With networked and backup storage devices falling victim to ransomware infections, this emphasises the need to ensure firms have offline copies of backups. Backups that are disconnected from systems cannot themselves be corrupted or fall victim to ransomware and would therefore be a firm’s best bet in being able to recover from such an attack.

https://www.zdnet.com/article/new-ransomware-attack-targets-your-nas-devices-backup-storage/ 


New vulnerability lets attackers sniff or hijack VPN connections

Academics have disclosed this week a security flaw impacting Linux, Android, macOS, and other Unix-based operating systems that allows an attacker to sniff, hijack, and tamper with VPN-tunneled connections. OpenVPN, WireGuard, and IKEv2/IPSec VPNs are all vulnerable to attacks.

The vulnerability -- tracked as CVE-2019-14899 -- resides in the networking stacks of multiple Unix-based operating systems, and more specifically, in how the operating systems reply to unexpected network packet probes.

According to the research team, attackers can use this vulnerability to probe devices and discover various details about the user's VPN connection status.

Whilst this vulnerability affects Linux, Android, Mac and other Unix-based operating systems, it is not currently believed to affect Windows-based systems.

https://www.zdnet.com/article/new-vulnerability-lets-attackers-sniff-or-hijack-vpn-connections/  


Newly discovered Mac malware uses “fileless” technique to remain stealthy

Hackers believed to be working for the North Korean government have upped their game with a recently discovered Mac trojan that uses in-memory execution to remain stealthy.

In-memory execution, also known as fileless infection, never writes anything to a computer hard drive. Instead, it loads malicious code directly into memory and executes it from there. The technique is an effective way to evade antivirus protection because there’s no file to be analyzed or flagged as suspicious.

In-memory infections were once the sole province of state-sponsored attackers. By 2017, more advanced financially motivated hackers had adopted the technique. It has become increasingly common since then.

https://arstechnica.com/information-technology/2019/12/north-koreas-lazarus-hackers-up-their-game-with-fileless-mac-malware/ 


Europol seizes more than 30,000 counterfeit sites on Cyber Monday

Europol has taken down more than 30,000 different web domains which allowed cyber criminals to sell counterfeit and pirated items online.

The joint operation between 18 member states and the US National Intellectual Property Rights Coordination Centre, with help from Eurojust and INTERPOL, included the seizure of articles such as fake medicines, pirated movies, music, software and counterfeit electronics.

In addition, officials identified and froze more than €150 000 (£128,000) in several bank accounts and online payment platforms.

As a result of the coordinated operation, codenamed IOS X (In Our Sites), three arrests have been made and 26,000 "luxury products" have been seized along with the swathe of illicit websites.

The IOS campaign, launched in 2014, has gained strength year-on-year and aims to "make the internet a safer place for consumers by recruiting more countries and private sector partners to participate in the operation and providing referrals".


You can contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our regular ‘Cyber Tip Tuesday’ video blog here and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.
